Slashdot Mirror
Hackers Hijacked ASUS Software Updates To Install Backdoors on Thousands of Computers (vice.com)
ASUS is believed to have pushed malware to hundreds of thousands of customers through its trusted automatic software update tool after attackers compromised the company's server and used it to push the malware to machines. From a report: Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the world's largest computer makers, was used to unwittingly to install a malicious backdoor on thousands of its customers' computers last year after attackers compromised a server for the company's live software update tool. The malicious file was signed with legitimate ASUS digital certificates to make it appear to be an authentic software update from the company, Kaspersky Lab says. ASUS, a multi-billion dollar computer hardware company based in Taiwan that manufactures desktop computers, laptops, mobile phones, smart home systems, and other electronics, was pushing the backdoor to customers for at least five months last year before it was discovered, according to new research from the Moscow-based security firm.
The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses. Once on a system, if it found one of these targeted addresses, the malware reached out to a command-and-control server the attackers operated, which then installed additional malware on those machines. Kaspersky Lab said it uncovered the attack in January after adding a new supply-chain detection technology to its scanning tool to catch anomalous code fragments hidden in legitimate code or catch code that is hijacking normal operations on a machine. The company plans to release a full technical paper and presentation about the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore.
The researchers estimate half a million Windows machines received the malicious backdoor through the ASUS update server, although the attackers appear to have been targeting only about 600 of those systems. The malware searched for targeted systems through their unique MAC addresses. Once on a system, if it found one of these targeted addresses, the malware reached out to a command-and-control server the attackers operated, which then installed additional malware on those machines. Kaspersky Lab said it uncovered the attack in January after adding a new supply-chain detection technology to its scanning tool to catch anomalous code fragments hidden in legitimate code or catch code that is hijacking normal operations on a machine. The company plans to release a full technical paper and presentation about the ASUS attack, which it has dubbed ShadowHammer, next month at its Security Analyst Summit in Singapore.
Give ti a cool name:
Check.
I am not your blowing wind, I am the lightning.
Why don't they hire people who know what they are doing?
Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
Learn to code
"Hackers" did this, did they?
Hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm I wonder
Now this is something scary. Any company that takes security seriously uses a HSM to ensure that at worst, bad guys have to compromise the HSM specifically to generate signatures.
At the minimum, and this is a MS recommended practice, the cert signing computers should be air-gapped to require a physical presence to sign something. The fact that this isn't done for a critical hardware company is extremely worrisome.
For something as critical as updates, it is actually shocking that a HSM isn't used. These are not expensive... YubiKey sells a HSM for $650.
WTF, it's 2019. Doesn't everyone know by now, that you never, ever want to get your software from the same people you get your hardware from? It sucks that with phones, most of us still have little choice. But for desktops?! Preloaded software is so 1980s.
What files should I check for? How can I remove it myself? All this hue and outcry about hundreds of thousands of installed backdoors but Kapersky won't say what files to look for?
Yes, but we designed RAD tools that convinced even the most illiterate dumbass that he can write code. Everyone can copy/paste from stackexchange and that's what doubles as "coding" today.
I call it "total job security". Yes, I'm in IT security.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I thought Kaspersky changed it's base of operations to Switzerland because of the recent problems with the US Government?
My primary device is an asus laptop I bought for school a few years ago, over the course of the past week or so my home network has been losing internet (no connection available across multiple devices, but the wifi is live). I've been going back and forth with my ISP about it, first replacing the modem my next step being to replace the router. Has anyone else with an asus device noticed issues like this? Could this be the issue? Ive even tried loading centos and tails just to get the same the "no internet connection available"
Leftist?
Comment removed based on user account deletion
And, as usual, nothing much will happen. The vast majority just pay lip service to security, but don't really put their money where their mouth is. Why? Because it is not worth their while. It is far easier, and better for their bottom line, to talk big about security, than actually taking the necessary security steps. Because when the inevitable security "disaster" occurs, nothing much happens. And that is the case because it is not in the interest of any of the major players for anything much to happen. Which is why this really is a nonevent, and why ASUS will carry on selling their stuff pretty much as though nothing had happened, without having to compensate anyone for the damage inflicted by - in this case - ASUS's lackadaisical approach to security - in a few weeks time, somebody else will be in the hot seat anyway.
Until security issues have serious repercussions (not Mickey Mouse ones) on those responsible, nothing will change.
The AC is referring to the people who prefer the use of the left hand for fun and profit. They've got mythical powers to confuse the rightist handshakers everywhere.
I forked over all the money about a year ago for an ASUS ROG Zephyrus gaming laptop, mainly because it was the first to market using the new nVidia standards that let a 1080 series video card run in a slimmer laptop while still getting adequate cooling.
Well -- I woke up one morning to find my keyboard bulging upwards around the S, D and F keys.
The battery in it blew up like a balloon, to the point it's deforming the keyboard on top of it. A quick search on the net reveals a bunch of complaints about the exact same issue, mostly on the ASUS forums. Not a single word from ASUS support acknowledging the problem. Several people got their batteries replaced under the 1 year factory warranty, but that required sending the whole machine in to be serviced (at your own expense for the postage) and long delays to get it back. Outside the warranty, they quoted people over $400!
I was rather shocked at their unwillingness to try to proactively address what could really become a fire hazard.... but now, seeing this mis-use of their update service too? I'm convinced ASUS just wants to maximize profit margins while doing things the cheapest way possible. I think far less of the brand than I used to.
It's hackers that did done hacking with hacks!
My primary device is an asus laptop I bought for school a few years ago, over the course of the past week or so my home network has been losing internet (no connection available across multiple devices, but the wifi is live). I've been going back and forth with my ISP about it, first replacing the modem my next step being to replace the router.
Has anyone else with an asus device noticed issues like this? Could this be the issue? Ive even tried loading centos and tails just to get the same the "no internet connection available"
I don't currently use asus devices, but it doesn't make sense for this to be your issue. Installing a backdoor on your Windows OS would not affect a TAILS bootup. In your case, I'd suspect the wifi adapter itself, first. Do you have a USB wifi you can plug in for testing? Or ethernet cable? When the internet connection goes out, can you still access your router?
My primary device is an asus laptop I bought for school a few years ago, over the course of the past week or so my home network has been losing internet (no connection available across multiple devices, but the wifi is live). I've been going back and forth with my ISP about it, first replacing the modem my next step being to replace the router.
Has anyone else with an asus device noticed issues like this? Could this be the issue? Ive even tried loading centos and tails just to get the same the "no internet connection available"
Whoops, missed the "across multiple devices" part -- which would point more towards an issue with either router or modem...
First thing I did was pull the win10 HDD, put in a 500G EVO SSD and loaded Ubuntu.
Serious question - am I safe or will my BIOS update get me the firmware?
I only kept the Win10 HDD to use if any warranty support is needed. In a few years, I'll probably wipe it and put it into a USB enclosure to be used for a 3rd backup copy of things-that-would-end-my-marriage-if-lost files.
Most likely this has nothing to do with network connectivity issues. The malware took very great care to be invisible unless activated, and the server where the second payload should have come from has been down since at least November 2018. In other words, anything happening to you for the last 2 weeks is most likely not due to this.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The links above, live:
Many Windows 10 Users Unable To Connect To Windows Update Service.
Windows 7 Users Who Installed January Update Report Network Issues; Some Say the Update Has Also Incorrectly Flagged Their OS License as 'Not Genuine'.
Windows 10 Will Reserve 7GB of Your Computer's Storage in its Next Major Release So That Big Updates Don't Fail.
Latest Windows 10 Update Breaks Windows Media Player, Win32 Apps In General
Microsoft Resumes Rollout of Windows 10 Version 1809, Promises Quality Changes.
Microsoft's Problem Isn't How Often it Updates Windows -- It's How It Develops It.
More links to stories showing that Microsoft is VERY poorly managed:
Windows 10 is possibly the worst spyware ever made. "Buried in the service agreement is permission to poke through everything on your PC." (Aug. 4, 2015)
Windows 10 shows you ads while you are trying to work. But, at least at present, you may be able to stop at least some of the advertising: 7 ways Windows 10 pushes ads at you, and how to stop them.
Microsoft's Intolerable Windows 10 Aggression (May 27, 2016)
Microsoft is infesting Windows 10 with annoying ads (March 17, 2017)
Microsoft, stop sabotaging Windows 10. (March 21, 2017)
Bill Gates still manages Microsoft: Two years ago, during a Jan. 17, 2017 discussion with Charlie Rose, Bill Gates said he spends "15 percent" of his time managing Microsoft. I interpreted that to mean that Gates is still extremely involved and very influential. Did Gates want the mess that is Windows 10?
From the transcript at that Charlie Rose web page:
08:42
"Bill Gates: I'm there about 15 percent of the time. And I get to work just on the R and D part, brainstorming with people, thinking, OK, how are we going to take this artificial intelligence and make it understand, help you use your time better. It's a very exciting time in software. There's five companies that are, you know, in a really strong position. Microsoft is leading in some really cool stuff so --"
It seems obvious that Bill Gates still has a huge amount of overall influence on the management of Microsoft, even if he mostly focuses on other subjects.
wtf? Why do you bring the left into your argument?
No way, no way, not witou my anus.
It could be a high level state actor looking for high value targets.
Or this is the test exploit verifying the ability for field testing. Subsequently they might have installed other back doors, and erased those operations from the update process. They forgot to clean up the original test code.
Given the level of persistence these things can have, it would be really impossible to clean up the infected ASUS machines.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
Awesome!!!
There are software engineers. There are people that are well trained as engineers in the real of producing software and have been selected for talent and insight. There are also gifted amateurs that are almost as good. But these people are a small, small minority in the coder population.
It is time to require that engineering degree and have the self-taught people come in and prove they can do as well. (Little known fact: You can get almost any academic degree without going to university by proving equivalent skills and a few years real-world experience in the field. At least in Europe you can.) And then degrade the rest to technicians and prevent them from designing anything and from working on software unsupervised by engineers. Have any company that does produce software and does not follow this be liable for any and all damage caused to an unlimited degree.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
PC's, tablets and phones which have Never been updated have been working smoothly for many years at my house.
We never update, and block most traffic at the router in and out.
Can't get infected by anything if you don't update anything and use an ad-blocker.
Seems like everyone else is doing it wrong.
Don't be sheep. You do not have to put up with companies like microsoft which prey on you.
I am also in IT security and I cannot say I disagree. Although as part of my job I do security coding at full consulting rates. That is about 3 times what our customers pay for regular coders and it is eminently worth it for them. I mean, "senior web developers" with > 5 years of experience that do not even know what a HTTP request looks like? These people are worth worse than nothing. They would be very expensive if they were free. It is utterly pathetic. And this is from a Fortune-500 company that critically depends on its IT.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I agree, except for the political bullshit part.
There is a reason why there are only amateurs in IT. For bridgebuildibg there is accountavility if you do it wrong. If you hired people who are unqualified, you are held accountable.
All political parties have decided that such a thing is not needed in IT, so nno laws in that direction exist.
Just only now have they started this in lefist Europe with GDPR and this kind of thing is not even really included.
Don't fight for your country, if your country does not fight for you.
There will always be a certain percentage of people in *any* population that have what it takes to be great programmers. You catch those stars by giving basic computer courses to everyone. Not everyone is suited of, course, but a basic course in computers (and online security, etc.) isn't a bad idea anyway.
Your logic is broken; if there's a star out there, you can see it. THAT'S WHAT MAKES IT A STAR.
Such people know who they are and what they want, and they find a way; by their very nature, they don't require hand-holding—they don't require special ignition by some intelligent designer.
Indeed, such people are usually restrained by the kind of intervention you're proposing, because such intervention tends to be conventional and mundane, just like most of the students.
You need contracts. "Law" by contracts is far superior to law by legislation.
You're clearly a fucking douche but I'll bite: the physiological differences between Sub-Saharan Africans (i.e. pureblooded CroMag-type Homosapiens) and the rest of us [bastard Neanderthal halfbreeds] are so irrelevant that it's ridiculous: any statistically-noticeable differences in performance, physical or cognitive, are entirely explained by culture/upbringing/nutrition/etc.
Start thinking about how the signing for Microsoft Windows updates, or Linux updates is handled.
Hint: The day to day packages are NOT signed by an HSM release key, even if they are available for actual numerical releases. Update packages or dev packages however....
And you only need to be infected once for it to persist, potentially forever.
Furthermore, this completely explains why yhe behavior of poor whites is usually indistinguishable from that of [poor] blacks.
Ha, ha, ha! The National Security Administration has been exposed AGAIN!
The article makes it sound like this only affected those who trust ASUS's automated updated. I despise these third-party automatic update utilities and always go looking for BIOS/driver updates myself every few months.
So the question is - is this affecting *only* binaries that were pushed out through this automated system, or does it also affect other updates that have to be retrieved manually?
Yes. I know. I currently have the (questionable) pleasure of being in charge of IT security for such a company. What really ticks me off is when people get detailed information on what security flaws exist and they "fix" it in a way that betrays that they don't even remotely try to understand the underlying issue. Look, I don't even expect a web developer anymore to know what a HSTS header is. But that they can't even be assed to at least take a look at what it is when the pentesting team pretty much rubs their nose in it really pisses me off.
As an example from a few years ago, the test reported a missing HSTS header. One should assume that it's an easy fix (provided that the certificates are ok, which they are). What did the geniuses do? Set a HSTS Header with a max-age of 0, of course. I have rarely seen a more blatant example of tick-box fixing than that. They very, very obviously did not even attempt to understand just what that effin' header is here for. The train of thought was very obviously a) Header is missing, b) we set the header somehow, preferably in a way that doesn't require me to test it (I still presume ignorance. It IS the lesser crime) c) I can close the fucking ticket.
THIS pisses me off. I don't even expect programmers anymore to know shit about security. Even after weekly training courses. But what I still DO expect them is to think when implementing something. Else I can get cheaper code monkeys from India.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
That's a straw man; the contract in your scenario just needs improvement—no need to wait for politicians to agree on legalese.
There are no "Software Engineers" [slashdot.org]:
Re:There are no "Software Engineers". [slashdot.org]
Re:There are no "Software Engineers". [slashdot.org]
I thought Kaspersky Lab had been banned already for making Merican AV companies look bad by actually finding exploits, hacks and security breaches and most importantly publishing details about so people can take steps to protect them selves against the likes of the NSA with the unlawful spying.
What makes you so entitled to someone else's resources?
Why would you blame your laptop when the problem is occuring over multiple devices. Even if your laptop is messing with your router you can easily rule out the laptop by having it switched off.
Such relationships can be handled by contracts; there is no reason for legislators to be involved.
If you don't believe that your society's system of contract negotiation or dispute resolution is adequately sophisticated to handle the situation, then the correct response is to spend time thinking about how to make this system more robust; the wrong response is running to the men with guns, begging them to save you, because that is a devil's bargain.
I think it is our strength: Blacks are good for sports; whites are good for thinking.
As demonstrated by Trump vs Obama. One ran a country properly, the other disappeared for golf at every opportunity.
Furthermore, this completely explains why yhe behavior of poor whites is usually indistinguishable from that of [poor] blacks.
Uhm, what? It most certainly does not. Not in any important way.
According to FBI crime stats over 50% of all solved murder cases have a black male perpetrator. Blacks are about 13% of the US population. Black males are about 6.5%. That is just staggering. There is no shortage of poor whites.
Why would you blame your laptop when the problem is occuring over multiple devices. Even if your laptop is messing with your router you can easily rule out the laptop by having it switched off.
Because a little basic reasoning might not be so effective at getting attention.
The max-age of zero is nice! "Zero-insight coding" is what I call that. I have seen such things as well.
I do strongly recommend against the code monkeys from India though. They will make things even worse. All the competent people from India are not cheaper than western devs. The others are really, really bad. The made the all-time worst implementation of a feature (that still worked, somewhat) that I have seen: A piece of code that was used to remove duplicated from an SQL-query result. They used a manually coded bubble-sort, i.e. O(n^2) for that. In Java. In a situation where you could have a lot of results. The code was too slow (500ms mainframe limit) even with test data that was nowhere near production-sized. Of course, Java has better sorting in O(n log n). Of course Java has hash-tables which give you close to O(n) for this task. Of course, they could just have told the DB engine to remove the duplicates. Oh, and variable names were > 80 characters with sometimes only 1 char difference. And some other things. If found this while doing an interface review and I was not even looking at the code. But that double-loop just looked immediately wrong.
Needless to say, the project failed. But here it comes: This was the second time this failed and the project "leader" that screwed the outsourcing up had already killed the first attempt by the same mistake. India both times. Each time this took something like 3 years. And he did not get fired the second time either. It is absolutely no surprise that with corporate culture being this bad (i.e. it matters who you are in bed with, not what you can and cannot do) things are completely messed up.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
* Laws as you describe them are a dumb man's game; rather than construct a system of well-defined interfaces for facilitating interaction among people, the powers-that-be just say "Fuck it! Do as your told!" That's an ancient and downright dumb approach that has many awful ramifications. We have to escape it.
* Enforcing contracts is a service; there's no requirement that this service be provided by a monopoly, let alone a monopoly that grew from imposition rather than from providing a voluntary service.
Contract negotiation and enforcement is an iterative process, not a recursive process; there is no infinite regression that needs to be solved by having The One True Authority.
Actually, not quite .... The whole innovative thing with the ROG Zephyrus was the idea the laptop would be slimmer, like a typical laptop, when you carry it around with the lid closed But when you open its lid, the bottom cover also lifts up in back, creating a bunch of extra airflow in and out of the case.
It's kind of a smart concept, IMO. A lot of people were buying various laptop stands to tilt their laptops forward at an angle while using them anyway... This just does the same thing without needing any extra equipment, and makes it functional at the same time.
(It's also smart enough so if you want to run it with the lid closed, using only an external monitor? It auto throttles the GPU so it won't overheat in that scenario.)
Only real issue I have with it is the poor quality and odd-shaped battery they used. It's nearly impossible to locate replacements for it and who knows if the current versions are less likely to blow up?
I did very poorly in my basic classes. I'm an inverted person. The more difficult a problem, the better I do at it. Many gifted people are inverted. Then there's the issue of creativity in software engineering. There is no generally accepted way to measure creativity, which is a core skill of problem solving. Essentially, there is no standardized or "basic" test to discover "great programmers" with a low false negative rate or false positive for that matter.